CVE-2020-28687

HIGH

Artworks Gallery 1.0 - Unauthenticated Arbitrary File Upload via Edit Profile

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28687. PoCs published by Shahrukh Iqbal Mirza.

AI-analyzed exploit summary: This exploit demonstrates an authenticated arbitrary file upload vulnerability in Artworks Gallery 1.0, allowing an attacker to upload a malicious PHP shell via the profile picture update feature, leading to remote code execution.

Description

The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.

Exploits (1)

exploitdb WORKING POC
by Shahrukh Iqbal Mirza · text · webapps · multiple
https://www.exploit-db.com/exploits/49167

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Artworks Gallery 1.0
Auth required
Prerequisites: Authenticated user account · Access to the edit profile feature
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/160095/Artworks-Gallery-1.0-Shell-Upload.html

Scores

CVSS v3 8.8
EPSS 0.1189
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status published
Products (1)
artworks_gallery_in_php\,_css\,_javascript\,_and_mysql_project/artworks_gallery_in_php\,_css\,_javascript\,_and_mysql 1.0
Published Nov 17, 2020
Tracked Since Feb 18, 2026